Post SolarWinds, the federal government wants to level up its logging capabilities
![WASHINGTON, DC – AUGUST 27: The American flag and National League of Families POW/MIA Flag on top of the White House stand at half staff to honor the U.S. service members killed in terror attacks in Kabul Afghanistan, on August 27, 2021 in Washington, DC. The White House’s administrative arm released a memo on how agencies should be log...](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2021/08/white-house-e1630096664874.jpg)
The White House's administrative arm released a memo on how agencies should be logging and storing their cybersecurity telemetry to help investigate and respond to future incidents. (Photo by Drew Angerer/Getty Images)
A recent White House executive order on cybersecurity looks to make big hacks like the SolarWinds campaign harder to pull off by imposing new requirements on the kind of data that federal agencies must log and store.

Now, the Office of Management and Budget, which sets administrative policy for the rest of the civilian government, has outlined a policy framework for what agencies should include. The document, released Friday afternoon, details specifics around how to set up requirements for logging, log retention, and log management correctly to “ensure centralized access and visibility for the highest-level security operations center of each agency.”

In a memo signed by Acting Director Shalanda Young, OMB sets up a tiered maturity model that agencies should measure their logging practices against.

“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident,” Young wrote in the memo. “Information from logs on federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation, and remediation of cyber threats.”

Achieving a basic logging posture (Tier 1) requires properly formatted timestamps, status codes, device identifiers, source and destination data for IPv4 and IPv6, response time, unique identifiers and other telemetry such as passive DNS monitoring. That data must be encrypted and verified by the agency, which should also begin planning at this stage for how it might later leverage automated tools such as security orchestration and automated response (SOAR).

Tier 2 requires documenting a log schema and providing it to the Cybersecurity and Infrastructure Security Agency (CISA), performing full traffic inspection of metadata, incorporating zero trust principles around access, and making that data available for use in “the highest-level security operations at the head of each agency.”

The most advanced posture, Tier 3, involves implementing automated hunt and response capabilities like SOAR, tracking behavioral analytics, and integrating container security and monitoring tools into the agency’s security information and event management (SIEM) systems.

Agencies have two months to measure their current practices against the model, a year to meet Tier 1 requirements and two years before they’re required to operate at Tier 3, the highest level. They also need to be able to share those logs with CISA and other relevant agencies to bolster the kind of investigation and incident response activities that followed the SolarWinds incident and other broad hacks affecting the government.

Under the new policy, CISA and the FBI will also advise agencies and test the logging capabilities of other agencies, while the National Institute of Standards and Technology (NIST) will incorporate the memo into its existing technical requirements for logging that agencies and contractors must follow.
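The Tier 1 record contents and the “verified” requirement described above, as an added illustration that is not code from the memo, OMB or SC Media: a validator for a constructed log record carrying the fields the article lists, plus an HMAC tag so a SOC can detect a line altered after it was written. The field names, the JSON record shape, and the signing key are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import json
import uuid
from datetime import datetime

# Fields the article lists for a Tier 1 record (assumed names, not the memo's schema).
REQUIRED_FIELDS = ("timestamp", "event_id", "device_id", "src_ip", "dst_ip",
                   "status_code", "response_time_ms")


def validate_record(rec: dict) -> list:
    """Return a list of problems; an empty list means the record is Tier 1-shaped."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
    if problems:
        return problems
    try:  # properly formatted timestamp: RFC 3339 with an explicit UTC offset
        ts = datetime.fromisoformat(str(rec["timestamp"]).replace("Z", "+00:00"))
        if ts.tzinfo is None:
            problems.append("timestamp lacks timezone")
    except ValueError:
        problems.append("timestamp not RFC 3339")
    for key in ("src_ip", "dst_ip"):  # IPv4 and IPv6 are both accepted
        try:
            ipaddress.ip_address(rec[key])
        except ValueError:
            problems.append(f"{key} is not an IP address")
    try:  # unique identifier for the event
        uuid.UUID(str(rec["event_id"]))
    except ValueError:
        problems.append("event_id is not a UUID")
    if not isinstance(rec["status_code"], int):
        problems.append("status_code must be an integer")
    rt = rec["response_time_ms"]
    if not isinstance(rt, (int, float)) or rt < 0:
        problems.append("response_time_ms must be a non-negative number")
    return problems


def sign_record(rec: dict, key: bytes) -> str:
    """Canonical JSON plus HMAC-SHA256: any edit to a stored line changes the tag."""
    canon = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_record(rec: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against a recomputed one."""
    return hmac.compare_digest(sign_record(rec, key), tag)
```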